/**
* @name Potential buffer overflow
* @description Using a library function that does not check buffer bounds
* requires the surrounding program to be very carefully written
* to avoid buffer overflows.
* @kind problem
* @id cpp/potential-buffer-overflow
* @problem.severity warning
* @tags reliability
* security
* external/cwe/cwe-676
*/
import cpp
import semmle.code.cpp.commons.Buffer
/**
 * A call to a library function whose safe use depends on the caller
 * enforcing buffer bounds itself. Concrete subclasses decide when a
 * particular call is actually dangerous and how to describe the problem.
 */
abstract class PotentiallyDangerousFunctionCall extends FunctionCall {
  /** Gets a human-readable explanation of why this call is reported. */
  abstract string getDescription();

  /** Holds if this call is considered dangerous by the subclass. */
  abstract predicate isDangerous();
}
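/**
 * A call to `sprintf` or `vsprintf`. Neither function takes a size
 * argument, so the only bound on what gets written is the size of the
 * destination buffer itself.
 */
class SprintfCall extends PotentiallyDangerousFunctionCall {
  SprintfCall() {
    this.getTarget().hasName("sprintf") or this.getTarget().hasName("vsprintf")
  }

  /**
   * Gets the size, in bytes, of the destination buffer passed as the first
   * argument. Has no result when the size cannot be determined statically,
   * in which case `isDangerous()` cannot hold for this call.
   */
  int getBufferSize() { result = getBufferSize(this.getArgument(0), _) }

  /**
   * Gets the maximum length of the string the format literal (second
   * argument) can produce, not counting the terminating null character.
   * Has no result if the second argument is not a `FormatLiteral` (the
   * cast fails), and may have no result when the library cannot bound the
   * converted length.
   */
  int getMaxConvertedLength() {
    result = this.getArgument(1).(FormatLiteral).getMaxConvertedLength()
  }

  /**
   * Holds if the formatted output can overrun the destination buffer.
   *
   * `sprintf` always writes a null terminator after the converted
   * characters, so an output of exactly `getBufferSize()` characters
   * already stores one byte past the end of the buffer. The comparison is
   * therefore `>=` rather than `>`; the previous strict comparison missed
   * this off-by-one case. Both quantities must be known for this to hold,
   * so calls with an unknown buffer size or format never produce an alert.
   */
  override predicate isDangerous() { this.getMaxConvertedLength() >= this.getBufferSize() }

  /**
   * Gets the alert message. The terminating null is mentioned explicitly so
   * that the equal-length case does not read as a length "exceeding" an
   * identical buffer size.
   */
  override string getDescription() {
    result =
      "This conversion may yield a string of length " + this.getMaxConvertedLength().toString() +
        " (plus a terminating null), which exceeds the allocated buffer size of " +
        this.getBufferSize().toString()
  }
}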
// Report every call that a subclass marks as dangerous, using the
// subclass's own explanation as the alert message.
from PotentiallyDangerousFunctionCall call
where call.isDangerous()
select call, call.getDescription()